Hi,
as reported in <http://bugs.debian.org/661536>, there are two format
string errors in DBD-Pg that are caught by gcc -Werror=format-security.
dbdimp.c: In function 'pg_warn':
dbdimp.c:331:4: error: format not a string literal and no format
arguments [-Werror=format-security]
dbdimp.c: In function 'pg_st_prepare':
dbdimp.c:1534:4: error: format not a string literal and no format
arguments [-Werror=format-security]
cc1: some warnings being treated as errors
These strings can be controlled by a malicious server, so Debian will be
issuing security updates for this. I'm not aware of a CVE id yet, but I
expect one will be allocated. I won't write details here, let me know if
you need a test case.
It's unfortunate that this became public straight away, but our security
team judged there was no point in keeping quiet about the impact when
the build error was already known. Apologies for the inconvenience.
Trivial patch attached.
Thanks for your work on DBD-Pg,
--
Niko Tyni
ntyni@debian.org
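
The bug class behind the report above, as an added example that is not DBD-Pg's code and not the attached patch: a printf-style logging wrapper that receives text from the database server, once as the vulnerable call gcc's -Werror=format-security rejects ("format not a string literal and no format arguments") and once with the fix of passing the server text through a literal "%s" format. The wrapper notice_log, the two variant functions, the helper contains_format_directive and the sample server message are all constructed for this example.

```c
/* Added example (not DBD-Pg's code): the bug class reported as
 * "format not a string literal and no format arguments", shown as a
 * vulnerable variant beside the fixed one.  server_msg stands for text
 * received from a database server (a NOTICE or error text) that the client
 * then hands to a printf-style routine.  All names and messages here are
 * constructed for the example. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* A printf-style logger standing in for the warn()-like call in the report.
 * The format attribute (GCC/clang extension) is what lets the compiler check
 * calls to this wrapper the same way it checks printf itself; without it,
 * -Wformat-security cannot see through the wrapper. */
static int notice_log(char *out, size_t outlen, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

static int notice_log(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE: the server-controlled text *is* the format string.  Every '%'
 * directive in it is interpreted and consumes variadic argument slots that
 * were never supplied, which is undefined behaviour (memory disclosure or
 * corruption).  With -Werror=format-security this call does not compile;
 * the pragmas silence the diagnostic only so that both variants can be
 * built in one file for comparison. */
static int notice_vulnerable(char *out, size_t outlen, const char *server_msg)
{
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
    return notice_log(out, outlen, server_msg);
#pragma GCC diagnostic pop
}

/* FIXED: a literal format string; the untrusted text is an ordinary
 * argument and is copied verbatim. */
static int notice_fixed(char *out, size_t outlen, const char *server_msg)
{
    return notice_log(out, outlen, "%s", server_msg);
}

/* Defender-side check: would this text be reinterpreted if it reached a
 * format parameter?  Any '%' at all is enough. */
static int contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    /* Constructed server text.  "%%" is the one directive whose behaviour is
     * fully defined, so it demonstrates the reinterpretation safely: the
     * vulnerable path collapses it to a single '%', the fixed path keeps
     * the text exactly as received. */
    const char *server_msg = "NOTICE: 100%% of rows processed";
    char buf[128];

    notice_vulnerable(buf, sizeof buf, server_msg);
    printf("vulnerable: %s\n", buf);   /* NOTICE: 100% of rows processed  */

    notice_fixed(buf, sizeof buf, server_msg);
    printf("fixed:      %s\n", buf);   /* NOTICE: 100%% of rows processed */

    printf("server text carries a format directive: %s\n",
           contains_format_directive(server_msg) ? "yes" : "no");
    return 0;
}
```

Build it with `gcc -Wall -Wformat -Werror=format-security format_security_demo.c` after removing the three pragma lines to see the exact diagnostic from the report; with the pragmas in place it compiles and the two output lines show the difference between the server text being interpreted and being copied.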

Thanks for the quick release! I can confirm that 2.19.0 is no longer
vulnerable according to my testcases.
FYI, this has been assigned CVE-2012-1151.
http://seclists.org/oss-sec/2012/q1/609
--
Niko Tyni ntyni@debian.org